[Pkg-openssl-changes] r809 - in openssl/branches/jessie_stable/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Sat Jun 11 17:28:50 UTC 2016
Author: kroeckx
Date: 2016-06-11 17:28:50 +0000 (Sat, 11 Jun 2016)
New Revision: 809
Added:
openssl/branches/jessie_stable/debian/patches/Fix-name-length-limit-check.patch
Modified:
openssl/branches/jessie_stable/debian/changelog
openssl/branches/jessie_stable/debian/patches/series
Log:
Fix length check for CRLs. (Closes: #826552)
Modified: openssl/branches/jessie_stable/debian/changelog
===================================================================
--- openssl/branches/jessie_stable/debian/changelog 2016-06-11 17:18:36 UTC (rev 808)
+++ openssl/branches/jessie_stable/debian/changelog 2016-06-11 17:28:50 UTC (rev 809)
@@ -2,8 +2,9 @@
* Disable SSLv2 methods again, changes upstream has split no-ssl2 into
no-ssl2 and no-ssl2-method
+ * Fix length check for CRLs. (Closes: #826552)
- -- Kurt Roeckx <kurt at roeckx.be> Sat, 11 Jun 2016 18:58:08 +0200
+ -- Kurt Roeckx <kurt at roeckx.be> Sat, 11 Jun 2016 19:18:11 +0200
openssl (1.0.1t-1+deb8u2) jessie; urgency=medium
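Review bot: the added changelog bullet "Fix length check for CRLs." does not say which patch carries the fix or where it came from. Consider naming debian/patches/Fix-name-length-limit-check.patch in the entry and noting that it is a cherry-pick of an upstream commit, so the changelog line can be traced to the code change without reading the diff.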
Added: openssl/branches/jessie_stable/debian/patches/Fix-name-length-limit-check.patch
===================================================================
--- openssl/branches/jessie_stable/debian/patches/Fix-name-length-limit-check.patch (rev 0)
+++ openssl/branches/jessie_stable/debian/patches/Fix-name-length-limit-check.patch 2016-06-11 17:28:50 UTC (rev 809)
@@ -0,0 +1,40 @@
+From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Wed, 4 May 2016 16:09:06 +0100
+Subject: [PATCH] Fix name length limit check.
+
+The name length limit check in x509_name_ex_d2i() includes
+the containing structure as well as the actual X509_NAME. This will
+cause large CRLs to be rejected.
+
+Fix by limiting the length passed to ASN1_item_ex_d2i() which will
+then return an error if the passed X509_NAME exceeds the length.
+
+RT#4531
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
+---
+ crypto/asn1/x_name.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
+index a858c29..26378fd 100644
+--- a/crypto/asn1/x_name.c
++++ b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+ int i, j, ret;
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ X509_NAME_ENTRY *entry;
+- if (len > X509_NAME_MAX) {
+- ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+- return 0;
+- }
++ if (len > X509_NAME_MAX)
++ len = X509_NAME_MAX;
+ q = p;
+
+ /* Get internal representation of Name */
+--
+2.8.1
+
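Review bot: in the x_name.c hunk the replacement lines "if (len > X509_NAME_MAX)" and "len = X509_NAME_MAX;" clamp the length silently and carry no comment, while the ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG) report is removed. An over-long name is therefore rejected only by the ASN1_item_ex_d2i() call that the commit message refers to, and with whatever error that call raises rather than ASN1_R_TOO_LONG. A short comment above the clamp, saying that len covers the containing structure and that the decoder enforces the limit on the name itself, would keep a later reader from restoring the early return. The patch header also cites only RT#4531; a Bug-Debian reference to #826552 would tie it to the bug this revision closes.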
Modified: openssl/branches/jessie_stable/debian/patches/series
===================================================================
--- openssl/branches/jessie_stable/debian/patches/series 2016-06-11 17:18:36 UTC (rev 808)
+++ openssl/branches/jessie_stable/debian/patches/series 2016-06-11 17:28:50 UTC (rev 809)
@@ -20,3 +20,4 @@
openssl_fix_for_x32.patch
ppc64el.patch
Update-S-MIME-certificates.patch
+Fix-name-length-limit-check.patch